author | Dominick Grift <dominick.grift@gmail.com> | 2012-10-10 14:14:19 +0200 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-10-10 21:47:43 +0200 |
commit | cc1683486de4e0322e5070e02ed3d85b2dc629f4 (patch) | |
tree | fe03a55b77059d7a77beb1f4fae096363b2aa783 | |
parent | Tab clean up in logrotate file context file (diff) | |
Changes to the logrotate policy module and relevant dependencies
Ported from Fedora with changes
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
-rw-r--r-- | policy/modules/contrib/awstats.if | 20 | ||||
-rw-r--r-- | policy/modules/contrib/awstats.te | 2 | ||||
-rw-r--r-- | policy/modules/contrib/callweaver.if | 39 | ||||
-rw-r--r-- | policy/modules/contrib/callweaver.te | 2 | ||||
-rw-r--r-- | policy/modules/contrib/chronyd.if | 19 | ||||
-rw-r--r-- | policy/modules/contrib/chronyd.te | 2 | ||||
-rw-r--r-- | policy/modules/contrib/logrotate.fc | 3 | ||||
-rw-r--r-- | policy/modules/contrib/logrotate.if | 16 | ||||
-rw-r--r-- | policy/modules/contrib/logrotate.te | 127 | ||||
-rw-r--r-- | policy/modules/contrib/polipo.if | 30 | ||||
-rw-r--r-- | policy/modules/contrib/polipo.te | 2 |
11 files changed, 192 insertions, 70 deletions
diff --git a/policy/modules/contrib/awstats.if b/policy/modules/contrib/awstats.if index 68313eda..68616dd9 100644 --- a/policy/modules/contrib/awstats.if +++ b/policy/modules/contrib/awstats.if @@ -2,6 +2,26 @@ ######################################## ## <summary> +## Execute the awstats program in +## the awstats domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`awstats_domtrans',` + gen_require(` + type awstats_t, awstats_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, awstats_exec_t, awstats_t) +') + +######################################## +## <summary> ## Read and write awstats unnamed pipes. (Deprecated) ## </summary> ## <param name="domain"> diff --git a/policy/modules/contrib/awstats.te b/policy/modules/contrib/awstats.te index 8e2ed97e..8e8432c3 100644 --- a/policy/modules/contrib/awstats.te +++ b/policy/modules/contrib/awstats.te @@ -1,4 +1,4 @@ -policy_module(awstats, 1.4.1) +policy_module(awstats, 1.4.2) ######################################## # diff --git a/policy/modules/contrib/callweaver.if b/policy/modules/contrib/callweaver.if index fcf96f90..16f1855f 100644 --- a/policy/modules/contrib/callweaver.if +++ b/policy/modules/contrib/callweaver.if 
@@ -2,6 +2,45 @@ ######################################## ## <summary> +## Execute callweaver in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`callweaver_exec',` + gen_require(` + type callweaver_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, callweaver_exec_t) +') + +######################################## +## <summary> +## Connect to callweaver over a +## unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`callweaver_stream_connect',` + gen_require(` + type callweaver_t, callweaver_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t, callweaver_t) +') + +######################################## +## <summary> ## All of the rules required to ## administrate an callweaver environment. ## </summary> diff --git a/policy/modules/contrib/callweaver.te b/policy/modules/contrib/callweaver.te index bfdbe388..528051e7 100644 --- a/policy/modules/contrib/callweaver.te +++ b/policy/modules/contrib/callweaver.te @@ -1,4 +1,4 @@ -policy_module(callweaver, 1.0.1) +policy_module(callweaver, 1.0.2) ######################################## # diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if index 0bf3ca7a..32e8265c 100644 --- a/policy/modules/contrib/chronyd.if +++ b/policy/modules/contrib/chronyd.if 
@@ -138,6 +138,25 @@ interface(`chronyd_dgram_send',` dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) ') +######################################## +## <summary> +## Read chronyd key files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`chronyd_read_key_files',` + gen_require(` + type chronyd_keys_t; + ') + + files_search_etc($1) + read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) +') + #################################### ## <summary> ## All of the rules required to diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te index 8582a53b..914ee2d2 100644 --- a/policy/modules/contrib/chronyd.te +++ b/policy/modules/contrib/chronyd.te @@ -1,4 +1,4 @@ -policy_module(chronyd, 1.1.3) +policy_module(chronyd, 1.1.4) ######################################## # diff --git a/policy/modules/contrib/logrotate.fc b/policy/modules/contrib/logrotate.fc index d5eac78b..a11d5be9 100644 --- a/policy/modules/contrib/logrotate.fc +++ b/policy/modules/contrib/logrotate.fc @@ -2,8 +2,5 @@ /usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0) -ifdef(`distro_debian',` /var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) -',` /var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) -') diff --git a/policy/modules/contrib/logrotate.if b/policy/modules/contrib/logrotate.if index 9cd6b0b8..dd8e01af 100644 --- a/policy/modules/contrib/logrotate.if +++ b/policy/modules/contrib/logrotate.if @@ -1,4 +1,4 @@ -## <summary>Rotate and archive system logs</summary> +## <summary>Rotates, compresses, removes and mails system log files.</summary> ######################################## ## <summary> 
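Review bot: The summary of `chronyd_read_key_files` says only "Read chronyd key files." and does not tell a caller that `chronyd_keys_t` presumably holds chronyd's authentication keys, so the interface hands out secret material. I would extend the summary, e.g. `## Read chronyd key files. These hold authentication secrets; grant only to domains that must authenticate to chronyd.` The only caller in this commit is `chronyd_read_key_files(logrotate_t)` in logrotate.te, a domain that also has `corecmd_exec_shell` and `corecmd_exec_bin`, so a one-line comment at that call naming why logrotate needs the keys would help later audits.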
@@ -21,8 +21,9 @@ interface(`logrotate_domtrans',` ######################################## ## <summary> -## Execute logrotate in the logrotate domain, and -## allow the specified role the logrotate domain. +## Execute logrotate in the logrotate +## domain, and allow the specified +## role the logrotate domain. ## </summary> ## <param name="domain"> ## <summary> @@ -38,11 +39,11 @@ interface(`logrotate_domtrans',` # interface(`logrotate_run',` gen_require(` - type logrotate_t; + attribute_role logrotate_roles; ') logrotate_domtrans($1) - role $2 types logrotate_t; + roleattribute $2 logrotate_roles; ') ######################################## @@ -84,7 +85,8 @@ interface(`logrotate_use_fds',` ######################################## ## <summary> -## Do not audit attempts to inherit logrotate file descriptors. +## Do not audit attempts to inherit +## logrotate file descriptors. ## </summary> ## <param name="domain"> ## <summary> @@ -102,7 +104,7 @@ interface(`logrotate_dontaudit_use_fds',` ######################################## ## <summary> -## Read a logrotate temporary files. +## Read logrotate temporary files. ## </summary> ## <param name="domain"> ## <summary> diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te index 7090dae7..1c941d3d 100644 --- a/policy/modules/contrib/logrotate.te +++ b/policy/modules/contrib/logrotate.te @@ -1,18 +1,20 @@ -policy_module(logrotate, 1.14.0) +policy_module(logrotate, 1.14.1) ######################################## # # Declarations # +attribute_role logrotate_roles; +roleattribute system_r logrotate_roles; + type logrotate_t; +type logrotate_exec_t; domain_type(logrotate_t) domain_obj_id_change_exemption(logrotate_t) domain_system_change_exemption(logrotate_t) -role system_r types logrotate_t; - -type logrotate_exec_t; domain_entry_file(logrotate_t, logrotate_exec_t) +role logrotate_roles types logrotate_t; type logrotate_lock_t; files_lock_file(logrotate_lock_t) 
@@ -23,27 +25,21 @@ files_tmp_file(logrotate_tmp_t) type logrotate_var_lib_t; files_type(logrotate_var_lib_t) +mta_base_mail_template(logrotate) +role system_r types logrotate_mail_t; + ######################################## # # Local policy # -# Change ownership on log files. -allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; -# for mailx -dontaudit logrotate_t self:capability { setuid setgid sys_ptrace }; - -allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - -# Set a context other than the default one for newly created files. -allow logrotate_t self:process setfscreate; - +allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; +allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; allow logrotate_t self:fd use; +allow logrotate_t self:key manage_key_perms; allow logrotate_t self:fifo_file rw_fifo_file_perms; -allow logrotate_t self:unix_dgram_socket create_socket_perms; -allow logrotate_t self:unix_stream_socket create_stream_socket_perms; allow logrotate_t self:unix_dgram_socket sendto; -allow logrotate_t self:unix_stream_socket connectto; +allow logrotate_t self:unix_stream_socket { accept connectto listen }; allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; 
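Review bot: `role system_r types logrotate_mail_t;` authorises only system_r for the new mail domain, while logrotate_t itself is now granted through the `logrotate_roles` attribute. A role added with `logrotate_run` can therefore enter logrotate_t but, unless `mta_base_mail_template` grants more than this page shows, the `mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)` transition added at the end of this file would yield a context that role is not allowed to hold; `role logrotate_roles types logrotate_mail_t;` keeps the two in step. In the same hunk `setuid setgid` move from the old `dontaudit` line (commented `# for mailx`) into the `allow` set even though mail now runs in its own domain. If logrotate_t has no other need for them, leaving them dontaudited is the tighter choice.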
@@ -52,64 +48,61 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) -can_exec(logrotate_t, logrotate_tmp_t) - manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) -# for /var/lib/logrotate.status and /var/lib/logcheck create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) +read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) +can_exec(logrotate_t, logrotate_tmp_t) + kernel_read_system_state(logrotate_t) kernel_read_kernel_sysctls(logrotate_t) -dev_read_urand(logrotate_t) - -fs_search_auto_mountpoints(logrotate_t) -fs_getattr_xattr_fs(logrotate_t) -fs_list_inotifyfs(logrotate_t) - -mls_file_read_all_levels(logrotate_t) -mls_file_write_all_levels(logrotate_t) -mls_file_upgrade(logrotate_t) - -selinux_get_fs_mount(logrotate_t) -selinux_get_enforce_mode(logrotate_t) - -auth_manage_login_records(logrotate_t) -auth_use_nsswitch(logrotate_t) - -# Run helper programs. corecmd_exec_bin(logrotate_t) corecmd_exec_shell(logrotate_t) +corecmd_getattr_all_executables(logrotate_t) + +dev_read_urand(logrotate_t) domain_signal_all_domains(logrotate_t) domain_use_interactive_fds(logrotate_t) domain_getattr_all_entry_files(logrotate_t) -# Read /proc/PID directories for all domains. domain_read_all_domains_state(logrotate_t) files_read_usr_files(logrotate_t) -files_read_etc_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) files_read_all_pids(logrotate_t) files_search_all(logrotate_t) files_read_var_lib_files(logrotate_t) -# Write to /var/spool/slrnpull - should be moved into its own type. 
files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) +files_dontaudit_list_mnt(logrotate_t) + +fs_search_auto_mountpoints(logrotate_t) +fs_getattr_xattr_fs(logrotate_t) +fs_list_inotifyfs(logrotate_t) + +mls_file_read_all_levels(logrotate_t) +mls_file_write_all_levels(logrotate_t) +mls_file_upgrade(logrotate_t) +mls_process_write_to_clearance(logrotate_t) + +selinux_get_fs_mount(logrotate_t) +selinux_get_enforce_mode(logrotate_t) + +auth_manage_login_records(logrotate_t) +auth_use_nsswitch(logrotate_t) -# cjp: why is this needed? init_domtrans_script(logrotate_t) logging_manage_all_logs(logrotate_t) logging_send_syslog_msg(logrotate_t) logging_send_audit_msgs(logrotate_t) -# cjp: why is this needed? logging_exec_all_logs(logrotate_t) miscfiles_read_localization(logrotate_t) @@ -120,21 +113,12 @@ userdom_use_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) -cron_system_entry(logrotate_t, logrotate_exec_t) -cron_search_spool(logrotate_t) - -mta_send_mail(logrotate_t) - -ifdef(`distro_debian', ` - allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; - # for savelog +ifdef(`distro_debian',` + allow logrotate_t logrotate_tmp_t:file relabel_file_perms; can_exec(logrotate_t, logrotate_exec_t) - # for syslogd-listfiles - logging_read_syslog_config(logrotate_t) - - # for "test -x /sbin/syslogd" logging_check_exec_syslog(logrotate_t) + logging_read_syslog_config(logrotate_t) ') optional_policy(` 
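Review bot: The two `# cjp: why is this needed?` markers are deleted in the @@ -52,64 hunk while `init_domtrans_script(logrotate_t)` and `logging_exec_all_logs(logrotate_t)` stay, so an open least-privilege question disappears without an answer. Either record the reason next to each rule, for example `# postrotate scripts call init scripts (confirm)`, or keep the marker until someone has checked whether the access is still required. The same loss of rationale applies to the capability comments removed in the @@ -23,27 hunk, the Debian `# for savelog` and `# for syslogd-listfiles` comments in the @@ -120,21 hunk, and the `#Red Hat bug 564565` reference on `su_exec` in the @@ -221,10 hunk.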
@@ -158,14 +142,28 @@ optional_policy(` ') optional_policy(` + awstats_domtrans(logrotate_t) +') + +optional_policy(` bind_manage_cache(logrotate_t) ') optional_policy(` + callweaver_exec(logrotate_t) + callweaver_stream_connect(logrotate_t) +') + +optional_policy(` consoletype_exec(logrotate_t) ') optional_policy(` + cron_system_entry(logrotate_t, logrotate_exec_t) + cron_search_spool(logrotate_t) +') + +optional_policy(` cups_domtrans(logrotate_t) ') @@ -178,6 +176,10 @@ optional_policy(` ') optional_policy(` + chronyd_read_key_files(logrotate_t) +') + +optional_policy(` icecast_signal(logrotate_t) ') @@ -200,9 +202,12 @@ optional_policy(` ') optional_policy(` - psad_domtrans(logrotate_t) + polipo_log_filetrans_log(logrotate_t, file, "polipo") ') +optional_policy(` + psad_domtrans(logrotate_t) +') optional_policy(` samba_exec_log(logrotate_t) @@ -221,10 +226,20 @@ optional_policy(` ') optional_policy(` - #Red Hat bug 564565 su_exec(logrotate_t) ') optional_policy(` varnishd_manage_log(logrotate_t) ') + +####################################### +# +# Mail local policy +# + +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) + +logging_read_all_logs(logrotate_mail_t) + +mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) diff --git a/policy/modules/contrib/polipo.if b/policy/modules/contrib/polipo.if index d20e1b1e..ae27bb7f 100644 --- a/policy/modules/contrib/polipo.if +++ b/policy/modules/contrib/polipo.if 
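Review bot: In the new "Mail local policy" block of the @@ -221,10 hunk, `manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)` lets the mail domain create, write and delete files of the same type that logrotate_t may execute through `can_exec(logrotate_t, logrotate_tmp_t)` (kept in the @@ -52,64 hunk). If the mail helper only has to read the file logrotate prepared, `read_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)` would stop the less privileged domain from placing content that the more privileged one can run. `logging_read_all_logs(logrotate_mail_t)` is similarly broad and deserves a comment saying which mailed logs require it.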
@@ -71,6 +71,36 @@ interface(`polipo_initrc_domtrans',` ######################################## ## <summary> +## Create specified objects in generic +## log directories with the polipo +## log file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`polipo_log_filetrans_log',` + gen_require(` + type polipo_log_t; + ') + + logging_log_filetrans($1, polipo_log_t, $2, $3) +') + +######################################## +## <summary> ## All of the rules required to ## administrate an polipo environment. ## </summary> diff --git a/policy/modules/contrib/polipo.te b/policy/modules/contrib/polipo.te index 2f6f8682..316d53a3 100644 --- a/policy/modules/contrib/polipo.te +++ b/policy/modules/contrib/polipo.te @@ -1,4 +1,4 @@ -policy_module(polipo, 1.0.3) +policy_module(polipo, 1.0.4) ######################################## # |